Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
"Wessels, Duane" <dwessels@verisign.com> Wed, 09 March 2016 18:43 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D24D12D926 for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 10:43:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([127.0.0.1]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YAtCem5edLKy for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 10:43:56 -0800 (PST)
Received: from mail-qg0-x262.google.com (mail-qg0-x262.google.com [IPv6:2607:f8b0:400d:c04::262]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DC1612D930 for <dns-privacy@ietf.org>; Wed, 9 Mar 2016 10:43:54 -0800 (PST)
Received: by mail-qg0-x262.google.com with SMTP id h8so5583056qge.2 for <dns-privacy@ietf.org>; Wed, 09 Mar 2016 10:43:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:content-id :content-transfer-encoding:mime-version; bh=6HXZwXhsDFa1HNfnb6RCCckTH7wAkgXh9XS33KTOvFo=; b=HPh9uQHElCm38Hc3DmprHn1g1IvVc97EVk6zcWPT73HrtQG3tRsSCjhMvAz8N/EvbZ Cce2/y6jdeEkWu+Y0eGO5olpZ2XfJagFPMzNwRXq5D0jDHUtqXfvNyp0P/f6WalZocLs 7bDUDdJKZw239PR0Brry6kNmskNoeByLk0Yh5vO5nURI8J02p4su4JL2gi6FRMvr+kwz 0H5bWghGJMUNxBz56dL09L5E6HZTTD1BLrY7WX3FZ8McVNS05BcEdhMadSQXwQhWAI+v nHWEQ0kyyAdObgrv30L37Z/sSOnDZOpBxP6AW3ZFB/e82uZxBnD0F114ApwoYCuvmeoD NYiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-id:content-transfer-encoding:mime-version; bh=6HXZwXhsDFa1HNfnb6RCCckTH7wAkgXh9XS33KTOvFo=; b=EqXVPWh156IcUt5BD+dUWgq4lfbWJ7TEerSeAESxce33YEK2XckWg/xYBx6g6/vLM3 zdCvyR2O3zTCMnlExrWPSlrQ/BIxC0Qtv4AHMIZ1J59QJ2JwnHbFlm1msfMhS5UEEJ93 /pWgloX39tZZfafFBIr9eA+WW+c3YH0b84sfJ46FI+u7MX0HjWKRfTWBAGDm/VmcQMJX dL6SBnXDtb8R2kDPw6VKMnW3iWaJHFN+FI7+s+qr9EpKZ9houidfJU0cUobiHqNmlY89 095REhoTBQRJAGqXB3tm5VvxLAwmbinB1z8jw8Sj3YafCz+SGObSdWDM/3B4CmJk0ArI TuMw==
X-Gm-Message-State: AD7BkJJnVfCnBpc2K1MvpWxqh4Kfm1T1v9+d2bAFthBWikqjHLSarMTOd9Um4rw59wWYipxl0PoTiLBYsgnbjBOSnMZKdi7Y
X-Received: by 10.55.197.76 with SMTP id p73mr45398338qki.75.1457549033535; Wed, 09 Mar 2016 10:43:53 -0800 (PST)
Received: from brn1lxmailout02.verisign.com (brn1lxmailout02.verisign.com. [72.13.63.42]) by smtp-relay.gmail.com with ESMTPS id x75sm1388208qkx.7.2016.03.09.10.43.53 (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 09 Mar 2016 10:43:53 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01 [10.173.152.205]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id u29Ihq8t004141 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 9 Mar 2016 13:43:53 -0500
Received: from BRN1WNEXMBX02.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Wed, 9 Mar 2016 13:43:50 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
Thread-Index: AQHReg6xm11l7pQYoEaC41e3MKdhUJ9Rxu8A
Date: Wed, 09 Mar 2016 18:43:49 +0000
Message-ID: <B870977A-D693-491E-B0FF-B97120C98CD8@verisign.com>
References: <20160309141923.27481.29744.idtracker@ietfa.amsl.com>
In-Reply-To: <20160309141923.27481.29744.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <46FBA342851C66419617CA87664441FE@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/ZuTv8zJtwKdQTP69OdqpD5I4NK8>
Cc: Allison Mankin <allison.mankin@gmail.com>, "draft-ietf-dprive-dns-over-tls@ietf.org" <draft-ietf-dprive-dns-over-tls@ietf.org>, Sara Dickinson <sara@sinodun.com>, The IESG <iesg@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2016 18:43:57 -0000
> On Mar 9, 2016, at 6:19 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Starting with the easy ones... > > - abstract: rfc-ed prefers s/[RFC7258]/(RFC7258)/ in abstracts Okay, fixed. > > - abstract: would RFC7626 be a better thing to point at from here > instead of RFC7258? Yes I think thats a good change. > > - intro: maybe "recently adopted" is no longer true, consider > rephrasing? s/recently/also/ > > - intro: Might be better to refer to RFC7525 as BCP195, so that you > don't need to say "or its successors." Same thing in 3.2. Ack, done. > > - 3.1: "purely for encrypted communications" is good - but do we > need to say anything about NULL ciphersuites? RFC7525 says you MUST > NOT negotiate those, so it's probably ok, unless you want to > re-enforce that here. My opinion is that we're covered by RFC7525/BCP195, which is referenced in the next section under Handshake and Authentication. If we specifically mention NULL encryption, then wouldn't we also need to mention RC4, "not less than 112 bits" and any other requirements from RFC7525? > > - 3.2: "make use of trusted a SPKI Fingerprint pinset" needs to be > rephrased. Do you say that because SPKI is not spelled out at this point, or something else? We've since expanded SPKI here. > > - 3.4, 2nd last para: this recommends using tickets (RFC5077), which > is fine. RFC7525 (section 3.4) suggests changing tickets at least > weekly. Is that suggestion also good here or would it be better to > recommend (or suggest) some other ticket lifetime? I'd guess > it's fine but maybe you know better? Ticket lifetime hasn't come up before, so I would assume the RFC7525 recommendation is fine. > > - 4.1, RFC 7435 is about "opportunistic security" and not about > "opportunistic encryption." That followed a long terminology debate, > so you might want to s/encryption/security/ there. (But I don't care > personally:-) I've changed it to opportunistic encryption. > > - 4.1, last para: OS never provides "guaranteed" privacy. I think > what you mean is that while you're always vulnerable to an on-path > attacker, if there is no such attacker then you do get privacy (to > the recursive) albeit with no guarantee. I think that's subtly > different from what's stated. Okay if we just change "provides guaranteed privacy" to "provides privacy" ? > > - 4.2, "The user MUST be alerted" needs a qualification - what if > it's my calendar running in the background? I'd prepend a "Where > possible,... " at least. Agreed. I've inserted "whenever possible" > > - Section 7: I'm not clear from the note if you do or don't want > this text in the RFC. I'd suggest keeping it. (Except the note.) Agreed. I've removed "prior to publication" from the note. > > - Section 9, point 4: I think it'd be fair to note that naive > padding schemes may not work as well as planned against traffic > analysis, and to say that implementations that allow for flexibility > there might be good so that we can experiment with ways of > mitigating traffic analysis. How does this look to you? Since padding of DNS messages is new, implementations might need to support multiple types of padding or other mitigation techniques in response to traffic analysis threats. > > - Section 10: This contradicts the front page which has 6 names > listed. > contradiction removed. DW
- [dns-privacy] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell